The World of Work by Harry Sherrard
GDPR and Data Protection
For obvious reasons, GDPR and data protection have not been in the forefront of employees’ minds for the last 18 months, but like all the other legislation affecting employer/employee relations, it hasn’t gone away. I was reminded of this recently when a client received a grievance from an employee complaining about how his data had been processed. As part of a redundancy consultation there was the possibility of an alternative position for this employee in a different department, which is managed by a director to whom he does not currently report. To enable that director to consider the situation, information about the potentially redundant employee was sent to the director concerned, and it was this sharing of information about the employee to which he objected. His grievance is that information about him was shared (i.e. “processed”) without his consent. Does he have a valid complaint?
It is a common misconception that individuals have to give consent for their data to be processed. In fact, GDPR sets out 6 lawful grounds for the processing of data, consent being one of them. But in the situation we are dealing with, a number of other grounds apply. Lawful processing of data takes place when it is necessary for the performance of a contract. Here, there is an employment contract in place, and in order to perform the contract the employer has to share information about the employee; and after all, exchange of information about employees takes place constantly between HR and line management. Another lawful ground for processing data is that it is necessary for the employer to comply with the law, including contractual obligations. The law on unfair dismissal requires employers to consider alternative positions when consulting with employees about redundancy. Therefore, the discussion with the other director was necessary to comply with this legal obligation. In addition to this, data can be lawfully processed where it is necessary for the legitimate interests of the employer, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. The latter would not apply here.
So, consent is not needed in the situation discussed here, where information about length of service, job role, qualifications, skills, history with the business and other similar information is exchanged between HR and line management. And since the director of the department to which the employee might transfer needs to do a budget, information about the employee’s salary would also be covered by the lawful bases of processing data described above. All this should be made clear in your data protection policy, which should be made available to all employees.
Remember, however, when the data to be processed involves the employee’s medical history and/or certain other sensitive information, known as “special category data”, explicit consent should be obtained.
Within our empLawyer® Policy Package we provide an up-to-date data protection policy. To find out more, contact firstname.lastname@example.org or call our main office number on 01273 834120.
Our retainer package, empLawyer®, is a fully flexible risk management package offering legal protection for complete peace of mind. As a retained client you not only benefit from the provision of our services at a reduced hourly rate, but you also gain access to the full range of supplementary services that are provided by our empLawyer® service. These include free places at all webinars on topical subjects – pandemic related or otherwise, access to our empLawyer® Policy Package – 20 up-to-date Policies, as well as 24-hour online access to our How to Guides.